An LSST.org project

CentOS System Disk Encryption

  • Heinrich Reinking

Abstract

Disk encryption addresses the need to protect information by converting it into an unreadable form that cannot be deciphered easily. It uses hardware or software to encrypt, bit by bit, all data that goes on a disk. The Linux Unified Key Setup (LUKS) is disk encryption software that implements a platform-independent standard on-disk format for use in various tools.

Policy-Based Decryption (PBD) is a collection of technologies that enable unlocking encrypted root and secondary volumes of hard drives on physical and virtual machines using different methods: a user password, a Trusted Platform Module (TPM) device, a PKCS#11 device connected to the system, or a special network server. PBD allows combining different unlocking methods into a policy, creating the ability to unlock the same volume in different ways. The current implementation of PBD in Red Hat Enterprise Linux consists of the Clevis framework and plugins called pins. Each pin provides a separate unlocking capability. For now, the only two pins available are the ones that allow volumes to be unlocked with a TPM or with a network server.

Network Bound Disk Encryption (NBDE) is a subcategory of the PBD technologies that binds encrypted volumes to a special network server. The current implementation of NBDE includes a Clevis pin for the Tang server and the Tang server itself.

Based on these tools, the servers' system disks will be encrypted; when the servers boot, they request decryption from a centralized server that holds the decryption key, avoiding the password prompt at boot.
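As an added example (not part of this LSST page or of the Clevis project), the NBDE setup described above written as a CentOS shell script: it builds a Clevis sss policy over two Tang servers so that either one can unlock the volume, binds the LUKS system volume to that policy, and prepares the initramfs so boot proceeds without a password prompt. The Tang hostnames, the device path, the threshold and the NBDE_APPLY guard are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the LSST page: bind a LUKS system disk to Tang
# servers with Clevis. Hostnames, device path and threshold are assumed.

# Build the Clevis "sss" (Shamir Secret Sharing) pin configuration.
# "t" is how many sub-pins must succeed; with t=1 and two Tang URLs,
# any one reachable Tang server is enough to unlock the volume.
nbde_policy_json() {
    threshold=$1; shift
    urls=""
    for u in "$@"; do
        urls="${urls:+$urls,}{\"url\":\"$u\"}"
    done
    printf '{"t":%s,"pins":{"tang":[%s]}}' "$threshold" "$urls"
}

# Bind the LUKS device to the policy. clevis fetches each Tang server's
# advertisement and prints its signing-key thumbprint; compare it with the
# thumbprint the Tang administrator obtained with `tang-show-keys` before
# answering yes, otherwise a server you did not intend could hold the
# unlock capability. The non-interactive -y flag is deliberately not used.
bind_system_disk() {
    dev=$1; policy=$2
    clevis luks bind -d "$dev" sss "$policy"
    # Show the resulting binding (keyslot and pin) for the change record.
    clevis luks list -d "$dev"
}

# Unlocking at boot needs the clevis dracut module in the initramfs and
# the network up before the LUKS volume is opened (rd.neednet=1).
enable_early_boot_unlock() {
    dracut -fv --regenerate-all
    grubby --update-kernel=ALL --args="rd.neednet=1"
}

# Apply only when explicitly requested: these steps need root and live
# Tang servers. Assumed values: two Tang hosts and /dev/sda2 as root LUKS.
if [ "${NBDE_APPLY:-0}" = "1" ]; then
    yum install -y clevis clevis-luks clevis-dracut
    policy=$(nbde_policy_json 1 http://tang1.example.org http://tang2.example.org)
    bind_system_disk /dev/sda2 "$policy"
    enable_early_boot_unlock
fi
```

Run with `NBDE_APPLY=1` as root on the CentOS host; without it the script only defines the functions.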
